Tag: Security
-
Election 2008: What Might Go Wrong
Tomorrow, as everyone knows, is Election Day in the U.S. With all the controversy over electronic voting, and the anticipated high turnout, what can we expect to see? What problems might be looming? Here are my predictions. Long lines to vote: Polling places will be strained by the number of voters. In some places the…
-
Report on the Sequioa AVC Advantage
Today I am releasing an in-depth study of the Sequoia AVC Advantage direct-recording electronic (DRE) voting machine, available at citp.princeton.edu/voting/advantage. I led a team of six computer scientists in a monthlong examination of the source code and hardware of these voting computers, which are used in New Jersey, Pennsylvania, and other states. The Rutgers Law…
-
Hot Custom Car (software?)
I’ve found Tim’s bits on life post-driving interesting. I’ve sometimes got a one-track mind, though- so what I really want to know is if I’ll be able to hack on that self-driving car. I mentioned this to Tim, and he said he wasn’t sure either- so here is my crack at it. We’re not very…
-
Popular Websites Vulnerable to Cross-Site Request Forgery Attacks
Update Oct 15, 2008 We’ve modified the paper to reflect the fact that the New York Times has fixed this problem. We also clarified that our server-side protection techniques do not protect against active network attackers. Update Oct 1, 2008 The New York Times has fixed this problem. All of the problems mentioned below have…
-
How Yahoo could have protected Palin's email
Last week I criticized Yahoo for their insecure password recovery mechanism that allowed an intruder to take control of Sarah Palin’s email account. Several readers asked me the obvious follow-up question: What should Yahoo have done instead? Before we discuss alternatives, let’s take a minute to appreciate the delicate balance involved in designing a password…
-
Palin's email breached through weak Yahoo password recovery mechanism
This week’s breach of Sarah Palin’s Yahoo Mail account has been much discussed. One aspect that has gotten less attention is how the breach occurred, and what it tells us about security and online behavior. (My understanding of the facts is based on press stories, and on reading a forum post written by somebody claiming…
-
Cheap CAPTCHA Solving Changes the Security Game
ZDNet’s “Zero Day” blog has an interesting post on the gray-market economy in solving CAPTCHAs. CAPTCHAs are those online tests that ask you to type in a sequence of characters from a hard-to-read image. By doing this, you prove that you’re a real person and not an automated bot – the assumption being that bots…
-
What's the Cyber in Cyber-Security?
Recently Barack Obama gave a speech on security, focusing on nuclear, biological, and infotech threats. It was a good, thoughtful speech, but I couldn’t help noticing how, in his discussion of the infotech threats, he promised to appoint a “National Cyber Advisor” to give the president advice about infotech threats. It’s now becoming standard Washington…
-
Transit Card Maker Sues Dutch University to Block Paper
NXP, which makes the Mifare transit cards used in several countries, has sued Radboud University Nijmegen (in the Netherlands), to block publication of a research paper, “A Practical Attack on the MIFARE Classic,” that is scheduled for publication at the ESORICS security conference in October. The new paper reportedly shows fatal security flaws in NXP’s…
-
NJ Election Day: Voting Machine Status
Today is primary election day in New Jersey, for all races except U.S. President. (The presidential primary was Feb. 5.) Here’s a roundup of the voting-machine-related issues. First, Union County found that Sequoia voting machines had difficulty reporting results for a candidate named Carlos Cedeño, reportedly because it couldn’t handle the n-with-tilde character in his…